Skip to main content

Cisco Vulnerability Management Source

icon

Cisco Vulnerability Management, formerly known as Kenna Security, provides you with the necessary contextual insights and threat intelligence to proactively intercept and respond effectively to potential exploits. The Cisco Vulnerability Management integration collects assets and vulnerability data from the Cisco API.

note

This source is available in the Fed deployment.

Data collected‚Äč

Polling IntervalData
24 hoursAsset
24 hoursVulnerability

Setup‚Äč

Vendor configuration‚Äč

You'll need a Cisco Base URL and API Key to configure the integration.

The Base URL is required to interact with the Cisco API. You can determine this by looking at the format of the subdomain for your subscription. For example, https://apidocs.kennasecurity.com/reference/welcome.

To generate an API Key, follow these steps:

note

Only administrators are allowed to retrieve the key. For more information, refer to Kenna Security API Authentication.

  1. Sign in to the Kenna Security platform.
  2. Click on the settings menu in the upper right-hand corner.
  3. Select API Keys from the dropdown that appears. Administrators can create, change, or revoke API keys from this menu.
  4. Copy and save the generated API Keys. If lost, an admin will need to generate a new key in order to copy and distribute the key.

Source configuration‚Äč

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. On the Collectors page, click Add Source next to a Hosted Collector.
  3. Search for and select Cisco Vulnerability Management.
  4. Enter a Name for the Source. The description is optional.
  5. (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  6. Forward to SIEM. Check the checkbox to forward your data to Cloud SIEM.
  7. (Optional) Fields. Click the +Add link to add custom log metadata Fields.
    • Define the fields you want to associate, each field needs a name (key) and value.
      • green check circle.png A green circle with a checkmark is shown when the field exists and is enabled in the Fields table schema.
      • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
  8. Base URL. Provide your Cisco Vulnerability Management customer-specific domain, for example, https://api.kennasecurity.com.
  9. API Key. Enter the Cisco Vulnerability Management API key.
  10. Data Collection. Select one or more of the data types, Assets and Vulnerabilities.
  11. When you are finished configuring the Source, click Save.

JSON schema‚Äč

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for more details. 

ParameterTypeValueRequiredDescription
schemaRefJSON Object{"type":"Cisco Vulnerability Management"}YesDefine the specific schema type.
sourceTypeString"Universal"YesType of source.
configJSON ObjectConfiguration objectYesSource type specific values.

Configuration Object‚Äč

ParameterTypeRequiredDefaultDescriptionExample
nameStringYesnullType a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source."mySource"
descriptionStringNonullType a description of the source."Testing source"
categoryStringNonullType a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details."mySource/test"
fieldsJSON ObjectNonullJSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.{"_siemForward": false, "fieldA": "valueA"}
base_URLStringYesnullBase URL to connect endpoints. "events.1password.com"
apiKeyStringYesnullProvide the Cisco Vulnerability Management API token you want to use to authenticate collection requests. "acsac25$"
dataCollection[]StringYesnullDefine one or more of the available data source to collect from. ["Vulnerabilities","Assets"]

JSON example‚Äč

{
"api.version": "v1",
"source": {
"config": {
"name": "Cisco Vulnerability Management",
"description": "Cisco Vulnerability Management",
"category": "Cisco Vulnerability Management",
"baseURL": "api.domain.com",
"apiKey": "XXXgXXXXXXXxfkNsaXXXXo8VqkXXXixRf5VlnwcXXXXXchX",
"dataCollection": [
"assets",
"vulnerabilities"
]
},
"schemaRef": {
"type": "Cisco Vulnerability Management"
},
"sourceType": "Universal"
}
}

Download example

Terraform example‚Äč

resource "sumologic_cloud_to_cloud_source" "cisco_vulnerability_management_source" {
collector_id = sumologic_collector.collector.id
schema_ref = {
type = "Cisco Vulnerability Management"
}
config = jsonencode({
"name": "Cisco Vulnerability Management",
"description": "Cisco Vulnerability Management",
"category": "Cisco Vulnerability Management",
"baseURL": "api.domain.com",
"apiKey": "XXXgXXXXXXXxfkNsaXXXXo8VqkXXXixRf5VlnwcXXXXXchX",
"dataCollection": [
"assets",
"vulnerabilities"
]
})
}
resource "sumologic_collector" "collector" {
name = "my-collector"
description = "Just testing this"
}

Download example

Limitations‚Äč

The Search Assets and Vulnerabilities API has a restriction that allows access to just 20 pages of records in its response. We follow the API's suggestion of using a page limit of 5000. So, if the API sends us more than 20 pages of data, our integration will only handle the first 100,000 records, and the rest of the records won't be accessible.

FAQ‚Äč

info

Click here for more information about Cloud to Cloud sources.

Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.